I made my first form:
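<?xml version="1.0"?>
<!-- Admin UI form for a blog post: a hidden id field, a title input and a WYSIWYG content field. -->
<form xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="urn:magento:module:Magento_Ui:etc/ui_configuration.xsd">
    <argument name="data" xsi:type="array">
        <item name="js_config" xsi:type="array">
            <!-- The provider has to name this form's own data source, i.e. the same
                 value as the <dep> entry below. It previously pointed at
                 customer_form.customer_form_data_source, which belongs to another form. -->
            <item name="provider" xsi:type="string">add_blogpost.blogpost_data_source</item>
        </item>
        <item name="label" xsi:type="string" translate="true">Blogpost Actions</item>
        <item name="reverseMetadataMerge" xsi:type="boolean">true</item>
    </argument>
    <settings>
        <!-- NOTE(review): the class values on this page contain no namespace
             separators; confirm they match the fully qualified PHP class names. -->
        <buttons>
            <button name="save" class="MageGuideFirstModuleBlockAdminhtmlEditSaveButton"/>
            <button name="back" class="MageGuideFirstModuleBlockAdminhtmlEditBackButton"/>
        </buttons>
        <layout>
            <navContainerName>content</navContainerName>
            <type>tabs</type>
        </layout>
        <deps>
            <dep>add_blogpost.blogpost_data_source</dep>
        </deps>
    </settings>
    <fieldset name="blogpost">
        <settings>
            <label translate="true">Blog Post</label>
        </settings>
        <!-- Primary key, kept in the form but not shown to the user. -->
        <field name="blog_post_id" formElement="input">
            <argument name="data" xsi:type="array">
                <item name="config" xsi:type="array">
                    <item name="source" xsi:type="string">blogpost_data_source</item>
                </item>
            </argument>
            <settings>
                <dataType>text</dataType>
                <visible>false</visible>
            </settings>
        </field>
        <!-- Plain text title. It is posted as typed, so it has to be escaped
             wherever it is printed. -->
        <field name="title" formElement="input">
            <argument name="data" xsi:type="array">
                <item name="config" xsi:type="array">
                    <item name="source" xsi:type="string">blogpost_data_source</item>
                </item>
            </argument>
            <settings>
                <label>Title</label>
                <dataType>text</dataType>
                <visible>true</visible>
            </settings>
        </field>
        <!-- Rich text body. The editor submits HTML, so the stored value is markup
             by design and cannot simply be tag-stripped without losing the formatting. -->
        <field name="content" sortOrder="10" formElement="wysiwyg" template="ui/form/field">
            <argument name="data" xsi:type="array">
                <item name="config" xsi:type="array">
                    <!-- NOTE(review): the other fields use blogpost_data_source here;
                         "page" looks carried over from another form. Confirm it is intended. -->
                    <item name="source" xsi:type="string">page</item>
                    <item name="wysiwygConfigData" xsi:type="array">
                        <item name="is_pagebuilder_enabled" xsi:type="boolean">false</item>
                        <item name="toggle_button" xsi:type="boolean">true</item>
                        <item name="height" xsi:type="string">200px</item>
                        <!-- The four flags below switch on the editor's variable, widget,
                             image and directive insertion. NOTE(review): presumably the
                             inserted directives are only evaluated if the stored content is
                             later passed through a template filter; confirm how the content
                             is rendered and who is allowed to author it. -->
                        <item name="add_variables" xsi:type="boolean">true</item>
                        <item name="add_widgets" xsi:type="boolean">true</item>
                        <item name="add_images" xsi:type="boolean">true</item>
                        <item name="add_directives" xsi:type="boolean">true</item>
                    </item>
                </item>
            </argument>
            <settings>
                <label translate="true">Contents</label>
                <dataScope>content</dataScope>
            </settings>
            <formElements>
                <wysiwyg>
                    <settings>
                        <rows>5</rows>
                        <wysiwyg>true</wysiwyg>
                    </settings>
                </wysiwyg>
            </formElements>
        </field>
    </fieldset>
    <!-- Data source: supplies the form data and defines where the form is submitted. -->
    <dataSource name="blogpost_data_source">
        <argument name="data" xsi:type="array">
            <item name="js_config" xsi:type="array">
                <item name="component" xsi:type="string">Magento_Ui/js/form/provider</item>
            </item>
        </argument>
        <settings>
            <!-- Relative route: same front name and controller path, action "save". -->
            <submitUrl path="*/*/save"/>
        </settings>
        <dataProvider
            class="MageGuideFirstModuleModelBlogPostDataProvider"
            name="blogpost_data_source">
            <settings>
                <requestFieldName>id</requestFieldName>
                <primaryFieldName>blog_post_id</primaryFieldName>
            </settings>
        </dataProvider>
    </dataSource>
</form>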
And I handle the submission like this:
<?php
namespace MageGuideFirstModuleControllerAdminhtmlBlogpostForm;
use LaminasStdlibParametersInterface;
use MageGuideFirstModuleModelBlogPost;
use MagentoBackendAppAction;
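/**
 * Admin controller that receives the blog post form submission and copies the
 * posted title and content onto the injected BlogPost model.
 *
 * NOTE(review): nothing in this class persists the model or returns a result;
 * presumably the save call and the redirect are still to be written.
 */
class Save extends Action
{
    /** Model that receives the submitted values. */
    protected BlogPost $blogPostModel;

    /**
     * @param \Magento\Backend\App\Action\Context $context Backend action context, handed to the parent.
     * @param BlogPost $blogPostModel Model populated by execute().
     */
    public function __construct(
        \Magento\Backend\App\Action\Context $context,
        BlogPost $blogPostModel
    ) {
        $this->blogPostModel = $blogPostModel;
        parent::__construct($context);
    }

    /**
     * Copy the submitted title and content onto the model.
     *
     * The values are stored exactly as posted: this method does no HTML
     * filtering or escaping. The "content" field is a WYSIWYG editor in the
     * form definition, so it is expected to contain markup, and strip_tags()
     * would remove the formatting the editor produced.
     *
     * NOTE(review): the usual Magento approach is to escape on output (for
     * example \Magento\Framework\Escaper::escapeHtml() for the title) rather
     * than to sanitize on save; confirm against the templates that will render
     * these fields, and render the content only through a path meant for
     * admin-authored HTML.
     *
     * @return void
     */
    public function execute()
    {
        // getPostValue() yields the raw POST payload; its shape is controlled by
        // the client, so check it before indexing into it.
        $data = $this->getRequest()->getPostValue();
        $post = is_array($data) ? ($data['blogpost'] ?? null) : null;

        $hasTitle = is_array($post) && is_string($post['title'] ?? null);
        $hasContent = is_array($post) && is_string($post['content'] ?? null);
        if (!$hasTitle || !$hasContent) {
            // Missing or non-string fields: leave the model untouched instead of
            // passing null or nested arrays to the setters.
            return;
        }

        // No id is handled yet, so every submission is treated as a new post.
        // @todo handle a posted id (editing an existing post)
        $this->blogPostModel->setTitle($post['title']);
        $this->blogPostModel->setContent($post['content']);
    }

    /**
     * Authorize the request through the parent's ACL check instead of
     * returning true unconditionally, which would switch authorization off
     * for this action.
     *
     * NOTE(review): declare a module-specific ADMIN_RESOURCE constant, backed
     * by an acl.xml entry, so access to saving blog posts can be granted per role.
     *
     * @return bool
     */
    protected function _isAllowed()
    {
        return parent::_isAllowed();
    }
}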
Does Magento 2.4 sanitize data against XSS, or must I sanitize the data on my own when saving the model (either via PHP’s strip_tags or via HtmlPurifier)?